Avatar of sunhux
sunhux
 asked on

Audit mandates MS SQL service accounts expiration: whats practice out there

Audit mandated we must enable  password expiry for MS SQL accounts though we say they're service accounts:

from DBA: change cannot be implemented as it will expire service accounts
Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role

What's the practice out there?  
Can we automate changing the password quarterly & yet not affect service accounts (which I assume
do not need to know the password)?  One of them is nagios

Or set the accounts to non-interactive & how to do it for MS SQL?
DatabasesMicrosoft SQL ServerOS SecuritySecurity

Avatar of undefined
Last Comment
Chris Geraghty

8/22/2022 - Mon
Partha Mandayam

You can enforce password expiration quarterly and force the user to change password

https://www.mssqltips.com/sqlservertip/1088/sql-server-login-properties-to-enforce-password-policies-and-expiration/
sunhux

ASKER
Thanks, we're fully aware of what you've suggested but there are numerous
such service accounts which if the password are not changed (manually)
in time, will cause disruption ... too risky
ASKER CERTIFIED SOLUTION
Chris Geraghty

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Partha Mandayam

So what exactly you want
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
sunhux

ASKER
Is there such thing as 'non-interactive accounts for MS SQL'
that Windows have & in Unix, we set the SHELL to /bin/nologin?
sunhux

ASKER
Chris' solution is almost there, just that we're on MS SQL 2012
sunhux

ASKER
On reading the full content of the link from Chris, noted:
"This implementation is done using Windows Server 2012 Active Directory domain controllers (DCs), all servers running Windows Server 2012 or Windows Server 2012 R2, and SQL Server 2016 CTP 3.2."

Just that we are still on Win2008 R2 AD (support expiring on Jan 2020) & we're
struggling to upgrade our AD to Win2016
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
sunhux

ASKER
Another remark from the link:
"Passwords are very complex and changed automatically as often as desired (by default every 30 days). ..
  In addition, they cannot be used to interactively logon"

Is there any way in my MS SQL 2012 on Win 2008 R2 AD to make those service accounts "non-interactive";
it's fine if they don't expire periodically
SOLUTION
Chris Geraghty

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.